B5 



Europaisches Patent amt 
European Patent Office 
(19) mJMmI Off ice europeen des brevets 



(11) EP 1 050 789 A2 



(12) EUROPEAN PATENT APPLICATION 

(43) Date of publication: ( 51 ) , nt . a. 7 : G06F 1/00 

08.11.2000 Bulletin 2000/45 



(21) Application number: 00303741.3 

(22) Date of filing: 04.05.2000 



(84) 


Designated Contracting States: 


, Nystrfcm, Magnus 




AT BE CH CY DE DK ES Fl FR GB GR IE IT LI LU 


Massachusetts 01742 (US) 




MC NL PT SE 


, Kaliski, Jr. Burton S. 




Designated Extension States: 


Massachusetts 02181 (US) 




AL LT LV MK RO SI 


, Rivest, Ronald L. 






Arlington Massachusetts 02174 (US) 


(30) 


Priority: 04.05.1999 US 304775 






(74) Representative: 


(71) 


Applicant: RSA Security Inc. 


Butler, Michael John 


Bedford, MA 01 730 (US) 


Frank B. Dehn & Co., 




European Patent Attorneys, 


(72) 


Inventors: 


179 Queen Victoria Street 


, Brainard, JohnG. 


London EC4V 4EL (GB) 




Sudbury Massachusetts 01776 (US) 





(54) System and method for authentication seed distribution 



< 

0> 
CO 



(57) In one embodiment of a user authentication 

system and method according to the invention, a device 
shares a secret, referred to as a master seed, with a 
server. The device and the server both derive one or more 
secrets, referred to as verifier seeds, from the master 
seed, using a key derivation function. The server shares a 
verifier seed with one or more verifiers. The device, or an 
entity using the device, can authenticate with one of the 
verifiers using the appropriate verifier seed. In this way, 
the device and the verifier can share a secret, the 
verifier seed for that verifier, without that verifier 
knowing the master seed, or any other verifier seeds. 
Thus, the device need only store the one master seed, 
have access to the information necessary to correctly 
derive the appropriate seed, and have seed derivation 
capability. A verifier cannot compromise the master seed, 
because the verifier does not have access to the master 
seed. 
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Description 
Technical Field 

5 This invention relates to the field of computer-based security systems and, more particularly, to the distribution of 

authentication seeds. 

Back ground Information 

10 In security systems, verifiers are used to authenticate, that is to verify the identity of, a person or other entity such 
as a computer. When an entity has been authenticated, meaning that the identity of the entity has been determined by the 
verifier, the entity is allowed access, for example physical access to a physical location, in the case of a physical 
security system, or electronic access to information (e.g. financial records, computer data, network access, etc.), in data 
security systems. 

f 5 There are many possible configurations for verifiers. Verifiers can receive input from keypads, keyboards, card readers, 
cameras, microphones, telephone and computer networks, and other such data input devices. As output, verifiers activate 
physical mechanisms, send electronic data signals, configure software, or take such other action to provide access. 
Verifiers can be implemented in various ways, for example as special purpose electronic and/or mechanical systems, or as 
general purpose computers, possibly, but not necessarily, in electrical communication with special-purpose hardware. 

20 Some verifiers use knowledge of a shared secret to authenticate an entity. For example, knowledge of a personal 
identification number, password, or passphrase can be used to verify an entity. At the time that authentication takes place, 
the entity either reveals the secret or otherwise proves knowledge of the secret If the entity shows knowledge of the secret 
the entity is authenticated. 

In some systems, an entity uses a physical or digital device, referred to as a token, that incorporates a secret The 
25 secret, stored in some manner in the device, may or may not be known to the entity using the device. A common door key 
is one simple mechanical example of such a device. The shape of the key is a shared secret When a key is Inserted into a 
lock, the lock verifies that the key is of the correct shape. The door key shows knowledge of the secret to the verifier (the 
lock), and allows entry. An attacker who learns the exact shape of the key can generate an appropriate token and 
authenticate to the lock. 

A bank card is a device that can contain a secret identification number that is revealed when the card is accessed by an 
automatic teller machine ("ATM"). Some bank cards incorporate cryptography to make forging of bank cards more difficult. 
Also, to provide an added layer of security, automatic teller machines require the user to possess the device (bank card) 
containing secret information, and require the user to enter a Personal Identification Number ("PIN"), which is another 
secret shared between the bank's verifier and the account holder. 

Some devices, to prove knowledge of a secret contained within the device, provide an authentication code that is based 
upon, but different from, the secret code contained within the device. The use of such an authentication code allows the 
device to show knowledge of a secret without revealing it In some systems, the authentication code is based on time- 
dependent information. The use of this sort of device has security benefits in that the secret is more difficult to determine 
by eavesdropping in the communications channel between the entity and the verifier, since the secret itself is not revealed. 
One example of this sort of device used by a person to authenticate to a verifier Is a token that includes an 
40 authentication code display. The person reads an authentication code from the display, and transmits the authentication 
code to the verifier. In such a system, the user may never know the shared secret Some such tokens accept user Input 
such as a PIN, and provide a result in response to the user input as well as other information (such as time-dependent 
Information). 

One token of this type stores a secret code, referred to as a seed, and mathematically combines the secret code with a 
45 time-varying value and a personal identification code provided by the user to generate an authentication code. The 
mathematical combination takes place in such a way that the secret code stored in the token cannot be determined from 
the resutt-the secret code is combined cryptograph] cally with the current time and other information. In another system that 
is a challenge-response system, meaning that the verifier transmits a challenge for the user to respond to, the secret code 
is cryptographlcally combined with the challenge to produce an output that is sent to the verifier as a response to the 
50 challenge. 

To verify an entity using a shared secret, the verifier needs to have knowledge of the shared secret. In a security system 
that verifies a large number of entities, there is a tradeoff between security and verifier availability. If there are a 
large number of verifiers, there is more likely to be a verifier available when a particular entity requires authentication. 
However, as the number of verifiers that have knowledge of a secret increases, it is increasingly more difficult to maintain 
55 the secrecy of the secret For example, as the number of verifiers increases, so does the chance that one of the verifiers 
can be compromised in some fashion. Yet, if the number of verifiers is limited, it possible that a verifier will not be 
available to authenticate an entity when the entity requires authentication. 

In addition, a single device presently cannot be used to access muJtipte independent services. For example, the same 
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device cannot be used to access an enterprise's computer system and a financial institution's web page. Even if each 
independent service trusts the user and the device, the services do not trust each other. In the example just mentioned, a 
bank does not trust the user's employer. If each of the services share the same secret with the device, then each service 
has information that can compromise the others. This prevents use of a single device from being used with verifiers 

5 associated with independent services. 

The utility of a security system is limited by the number and variety of verifiers to which an entity can conveniently 
authenticate.. If the entity interacts with a number of verifiers that share different secrets, with that entity, the. entity 
wiD have to manage a number of secrets (or devices containing secrets), where each secret is used to authenticate to one 
or small number of verifiers. Managing a large number of secrets adds complexity to a computer-based entity, and is 

10 inconvenient for a human entity. Even the process of securely sharing a different secret between an entity and each of a 
large number of verifiers can be inconvenient and cumbersome. 

Similar issues arise in the area of secure cornrnunications. where a single shared secret is used as an encryption key. To 
communicate securely with many other entities, an entity either has to have a separate shared secret with each other entity, 
or has to share the same secret with more than one entity, thereby reducing the secrecy (and security) of the shared 

15 secret. 

Public key cryptography can be used to avoid the need to securely share a secret between each two parties that wish to 
communicate or authenticate. However, public-key cryptography is impractical in many user and device authentication 
settings, at least partly because of the large computation power required to accomplish the calculations, and the complexity 
of managing certificates and revocation lists. 

20 

Summary of the Invention 



The system and method of the present invention allows an entity to authenticate to many verifiers without having to 
manage a large number of secrets. An authentication system that is simple, and that allows the user to manage just one 
secret, yet allows the user to authenticate with multiple verifiers is a great improvement over the prior art. For example, a 

25 token-based system and method could allow authentication with some or aO of such diverse systems as (but not limited to) 
file servers inside and outside of one or more enterprises, remote access servers, web servers associated with various 
services (e.g. financial, business, utilities, entertainment, etc.), other computers, a physical security system within a 
home or office, and a bank automatic teller machine. Such an authentication method and system avoids the complexity and 
cost of managing different secrets or devices for different services. 

30 The benefit of associating a single secret with a user that is useful with multiple verifiers is beneficial even if the 

device is an electronic waDet stored on a personal computer, where the memory and processing limitations are much less 
restrictive than in a smart card or other small-sized token with limited memory and processing power. The stmpDdty allows 
for smaller, faster implementations, and also avoids the complexity of sharing each secret 

In an embodiment of a user authentication method and system according to the invention, a device shares a secret, 

35 referred to as a master seed, with a server. The device and the server both derive one or more secrets, referred to as 
verifier seeds, from the master seed, using a key derivation function. The server shares a verifier seed with one or more 
verifiers. The device, or an entity using the device, can authenticate with one of the verifiers using the appropriate 
verifier seed. In this way, the device and the verifier can share a secret, the verifier seed, without that verifier having 
access to the master seed, or any other verifier seeds. Thus, the device need orty store the one master seed, have access 

40 to the information necessary to correctly derive the appropriate verifier seed, and have seed derivation capability. An 
individual verifier cannot compromise the master seed, because the verifier does not have access to the master seed. In 
addition, if a particular verifier is compromised, only that verifier seed is affected, and other verifiers using other 
verifier seeds are not compromised. 

In one aspect of the invention, a method for distributing authentication information associated with a device includes 

45 generating a master seed associated with the device, deriving a verifier seed using the master seed and information 
associated with a verifier, and transmitting the verifier seed to the verifier. In one embodiment, the method includes, after 
the generating step, the step of transmitting the master seed to the device. In another embodiment the method includes, 
after the generating step, sharing the master seed with the device and a server. In another embodiment the method 
includes, after the transmitting step, deriving a second verifier seed using the master seed and information associated with 

^ a second verifier, and transmitting the second verifier seed to the second verifier. In another embodiment, the method 
includes, after the transmitting step, generating an authentication code in response to the verifier seed. 

In one embodiment the generating step includes generating an authentication code in response to the verifier seed and 
a time dependent value. In another embodiment, the method includes the step of authenticating using the authentication 
code. In another embodiment, the authenticating step includes authenticating a user or a device by verifying the 

M authentication code. In another embodiment, the authenticating step includes transmitting the authentication code to the 
verifier. In another embodiment, the generating step includes randomly generating and/or pseud ©randomly generating the 
master seed. 

In one embodiment the deriving step includes deriving the verifier seed in response to a time Identifier. In another 
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embodiment, the deriving step includes deriving a verifier seed by using the master seed and information associated with a 
verifier as inputs to a key derivation function. In another embodiment the key derivation function is a hash function. 

In another aspect of the invention, a system for distributing authentication information associated with a device includes 
a seed generator for generating a master seed associated with a device, a server for deriving a verifier seed using the 
master seed and information associated with a verifier, and a transmitter for transmitting the verifier seed to the verifier. 
In one embodiment, the system includes a transmitter for transmitting the master seed to the device. In another 
embodiment the system includes a. communication channel for sharing the master seed with the device and the server. In 
another embodiment, the server derives a second verifier seed using the master seed and information associated with a 
second verifier, and the transmitter transmits the second verifier seed to the second verifier. In another embodiment, the 
system includes an authentication code generator for generating an authentication code in response to the verifier seed. In 
another embodiment the system includes an authentication code generator for generating an authentication code in 
response to the verifier seed and a time dependent value. In another embodiment, the seed generator is a random 
generator and/or a pseudorandom generator. In another embodiment, the server includes a key derivation function. 

In another aspect of the invention, a method for authentication includes storing a master seed associated with a device, 
deriving a verifier seed using the master seed and information associated with a verifier, and generating an authentication 
code in response to the verifier seed. In one embodiment the method includes authenticating a user with the authentication 
code. In another embodiment, the method includes transmitting the authentication code to a verifier. In another 
embodiment the method includes receiving the authentication code by a verifier. 

In another aspect of the invention, an authentication system includes a memory for storing a master seed associated 
with a device, a server for deriving a verifier seed using the master seed and informalion associated witti a verifier, and an 
authentication code generator for generating an authentication code in response to the verifier seed. 

In another aspect of the invention, a verifier Includes a data store for storing a verifier seed associated with a device, 
an input for receiving an input authentication code, and an authentJcator for determining whether the input authentication 
code was correctly generated in response to the verifier seed. 

In another aspect of the invention, a token includes a data store for storing a master seed, a key derivation function for 
deriving a verifier seed from a master seed in response to information associated with a verifier, an authentication code 
generator for generating an authentication code in response to a verifier seed, and an output for providing the 
authentication code to a verifier. 

In another aspect of the invention, an authentication method includes generating a master seed, sharing the master 
seed between a token and a server, deriving a verifier seed from the master seed using a key derivation function, and 
transmitting an authentication code responsive to the verifier seed. 

Brief Description of the Drawings 

In the drawings, like reference characters generally refer to the same parts throughout the different views. Also, the 
drawings are not necessarily to scale, emphasis instead generally being placed upon illustrating the principles of the 
invention. 

FIG. 1 is a block diagram of an embodiment of a system according to the invention; 

FIG. 2 is a block diagram of an embodiment of a system with multiple verifiers according to the Invention. 

FIG. 3 is a flowchart of an embodiment of an authentication method according to the invention; 

FIG. 4 is a block diagram of an embodiment of the Invention using a token; and 

FIG. 5 is a flowchart of an authentication method according to the invention. 



Description 

Referring to FIG. 1, in one embodiment a master seed S M 100 is generated for a device 102. The master seed S M 100 
is a secret that is shared by the device 102 and the server 104. In one embodiment the server 104 may be exclusively a 
seed distribution server, and in other embodiments, the server 104 is a data server, such as a file server, web server, or 
authentication server, that incorporates seed distribution functionality. In one embodiment the master seed 100 is 
generated randomly, for example by using a sensor observing a sufficiently random physical event In another embodiment 
the master seed 100 is generated by a pseudorandom number generator. In other embodiments the master 
seed S„ 100 is generated in other ways that produce a secret number that Is statisticalfy difficult to predict 

The master seed ^ 100 is. in various embodiments, generated by the device 102, the server 104, or by another entity 
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used for seed generation. The master seed S„ 100 te shared by the device 102 and the server 104, preferably In a private 
manner, for example over a secure communications link. In one embodiment, the device 102 generates the master 
seed S„ 100 and shares it with the server 104. In another embodiment, the server 104 generates the master seed S M 100 
and shares it with the device 102. In yet another embodiment, another entity, a seed generator (not shown In FIG. 1), 
5 generates the master seed 100, and communicates it to either the device 102 or the server 104 for sharing with the 
other. In still another embodiment, the seed generator communicates the master seed S„ 100 directly to both the device 

10? and the server 104 . • . . ■ 

The server 104 generates a verifier seed Sy associated with a verifier 108. The server 104 generates the verifier 
seed by using a key derivation function "KDF." Key derivation functions are well known in the field of encryption 
10 relating to user-provided passwords. User-provided passwords are generally not directly useful as an encryption key In 
conventional cryptosystems. Systems that use passwords as a basis for encryption generally derive an encryption key from 
the password using a key derivation function. Key derivation functions are generally chosen for a capability to generate 
relatively distinct outputs for different inputs, and because they are hard to reverse, meaning that it is difficult, given a 
particular output, to determine the input. Various key derivation functions are based on hash functions, pseudorandom 
15 functions, and so on. 

Key derivation functions typically combine the password with other information, referred to as a salt. The salt need not 
be a secret value. An iterative function also may be Included in a key derivation function. A number, referred to as an 
iteration count can be used to indicate how many times to perform an underlying function by which the key is derived. The 
incorporation of the iteration count into the key derivation function Increases the effort required to derive an encryption 

20 key from a password; A modest number of iterations, for example 1000, is not likely to be a burden for legitimate parties 
when computing a key, but ft will be a significant burden for attackers. If the password value is a large random value, a 
smaD iteration count may be used 

In one embodiment, a key derivation function called PBKDF2 is used to implement the invention. PBKDF2 uses the 
message authentication code HMAC-SHA-1, which is a message authentication code based on the SHA-1 hash function. 

25 HMAC-SHA-1 takes two arguments as input. The first argument is an encryption key. and the second argument is text that 
is encrypted by the encryption key. HMAC-SHA-1 has a variable encryption key length and produces a 20-octet (160-bit) 
output value. When PBKDF2 uses the underlying function HMAC-SHA-1, it provides two inputs to HMAC-SHA-1, and 
HMAC-SHA-1 provides a 160-bit output in response. 

The key derivation function PBKDF2 has as inputs a password (P). a salt (S), an iteration count (c). and a length (Len) in 

3o octets (8-bit bytes). PBKDF2 computes each block of derived output independently by applying the underlying function 
(HMAC-SHA-1) for (c) iterations. A block is the number of bits produced as output by the undertying function, which is 160 
bits for HMAC-SHA-1. On the first iteration, the password (P) is the first argument to the underlying function, and the salt 
(S) concatenated with the block number is the, second argument to the underlying function. The underlying function 
encrypts the salt concatenated with the block number using the password as the encryption key/In subsequent iterations, 
the result of the previous iteration is passed as the second argument to the underlying function, with the password again 

35 used as the encryption key. The results of all the iterations are combined, using the exclusive-or operation to produce the 
final result. 

In more formal notation, the PBKDF2 key derivation function can be described as: 

PBKDF2 (P, S, c, i)=U,\xorU 7 Vor ...\xor U where 
40 U^PRF[P,S || lnt(/)), 

U=PRF(P, UJ, 
U=PRF(P, U^). 



Here, INT (/) is a four-octet encoding of the block number /, most significant octet first, and PRF is the underlying 
function. In the embodiment just described, PRF is HMAC-SHA-1. It should be clear that other key derivation functions 
would be similarly useful, and various substitutions for the verifier information and other Information are possible, as 
required by the particular key derivation function. Key derivation functions based on underlying hash functions, block 
ciphers, message authentication codes, and so on are intended to be within the scope of the invention. 

In one embodiment, the key derivation function PBKDF2 is used to derive a verifier seed from a master seed by using 
the master seed as the password P, and the concatenation of a verifier identifier and a time identifier as the salt S. The 
inputs to the key derivation function are thus the master seed, and the concatenated verifier identifier and time identifier. 
Of course, either the verifier identifier and/or the time identifier might not be included, and instead a default value used. 
Because this information substitutes for the salt, the verifier identifier and the time identifier do not have to be secret, 
and can be public information. As further described below, the verifier identifier V D includes information about the verifier, 
and also can include other information, such as a time value. 

In one embodiment, the key derivation function KDF takes as inputs the master seed S„ 100 and identifying information 
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verifier identifier before being provided to the key derivation function. The key derivation function provides, as an output, a 
verifier seed specific to the master seed and the verifier. 

The method further includes transmitting the verifier seed Sy to a verifier (STEP 202). Preferably, the transmission 
occurs over a secure channel. For example, in one embodiment, the verifier seed Sy is transmitted to a verifier over an 

5 encrypted network connection. In another embodiment, the verifier seed Sy is transmitted to a verifier by storing the seed 
on portable media such as a floppy disk, and carrying the disk to the verifier. In another embodiment, the verifier 
seed Sy is transmitted to the verifier by. entering the information directly into the verifier, by. a. keypad; keyboard, or. 
other input. Once transmitted to the verifier, the secret shared by the verifier 108 and the device 102, the verifier seed Sy, 
can be used by the verifier for authentication, encryption, or communication. 

10 Referring to FIG. 4, an embodiment of such an authentication system is implemented with a token 21 1. In one such 
embodiment, the token 211 is a hardware token implemented as a credit-card sized device that Incorporates a 
microprocessor with memory and associated hardware logic and firmware, a battery, an LCD display. In one embodimenl, 
the token 211 also accepts data input, for example by buttons, a keypad, or a pressure-sensitive display. A master 
seed S„ is generated for each hardware token 211 by a seed generator 210. The seed generator 210 is a random number 

15 generator configured to output random seeds. In one embodiment the master seeds S M generated by the seed generator 

210 are random numbers of 64 or 128 bit length. 

In one embodiment the memory of the hardware token 211 is programmed during manufacture with the master 
seed S M for that token 211, as well as with the current time, and also with verifier/and or time identifier information. In 
another embodiment, any or aD of this information is entered into the memory of the hardware token electronically via a data 

20 cornmunication path or by using specific input button sequences. The master seed % for the token is also transmitted to 
a seed distribution server 212 via a secure channel. In one embodiment, the master seed is recorded on portable media, 
such as a floppy disk, by the seed generator 210, arid the disk is carried to the seed distribution server 212. In another 
embodiment, the master seed S M Is transmitted over a data network. In other embodiments, other transmission schemes 
are used to provide the server with the master seed S M associated with a particular token 21 1. Thus, the token 211 and the 

2 5 seed distribution server 212 share the secret of the master seed Sm. 

The seed distribution server 212 generates verifier-specific seeds for the various verifiers 220-222. Three verifiers, V 0 220, 
V 1 221, and V 2 222 are shown in the figure as an example of a plurality of verifiers, and not to limit the invention to any 
particular number of verifiers. Each verifier, V 0 220, V, 221, V 2 222, has associated with it a verifier identifier V c . The 
verifier identifier is an input to the key derivation function. Depending on the key derivation function chosen, it may be 

30 possible to use simple verifier identifiers, such as three-letter codes, as verifier identifiers. Alternatively, the verifier 
identifier may be a number that is long and complex. It makes sense, if the verifier identifier is a long and complex number, 
to provide a user with an easy-to-remember name or mnemonic for a verifier, such as a number or a short alpha-numeric 
code. The name can be used to "look up" the actual verifier identifier from a preprogrammed table. 

The verifier identifier V c is used to derive verifier seeds S^,, Sy t , and Syj for each verifier using a key derivation 
function. Each verifier seed is transmitted over a secure channel to the respective verifier, so that verifier seed Syo is 

35 transmitted to verifier V 0 220, verifier seed Sy, is transmitted to verifier V., 221, verifier seed is transmitted to 
verifier V 2 222, and so oh. In one embodiment, the specific verifier seeds are recorded on portable media, such as a 
floppy disk, by the seed distribution server 212, and the disk is carried by hand and loaded onto the verifiers V n . In another 
embodiment,, the verifier specific seed Sy„ is transmitted over an encrypted communications channel over a computer 
network to each verifier V n . In other embodiments, other transmission schemes are used. The verifiers V n thus are provided 

40 with the verifier seed S*, associated with a particular token 21 1 . 

In operation, a user 213 uses the token 21 1 to authenticate to a verifier 220-222. For clarity, the authentication process 
will be described with regard to verifier V, 221, but it should be understood that a similar process is used for other 
verifiers. The user 213 enters a verifier identifier V c , or a code associated with the verifier identifier V D Into the token 21 1. 
In one embodiment, this is accomplished using the token's input buttons. In one embodiment, the code is the first few 

45 letters of the name of the verifier V, 221. In another embodiment, the code is a 1-button indicator of the appropriate verifier, 
and in another embodiment, the code is an identifier number. In other embodiments, other techniques are used to specify 
the verifier V, 221. In one embodiment the token 21 1 determines the verifier identifier from the code entered by the user 
213. The verifier identifier may in fact be the code associated with the verifier 221 entered by the user, or the token 211 
may otherwise derive the verifier identifier from the code entered by the user 213. for example by performing a hash or other 

50 mathematical operation, or by performing a lookup operation. 

The token 211 uses the verifier identifier to determine the verifier seed Sy,, for the verifier. The token 211 then uses the 
verifier seed to determine an authentication code that the user 213 can use to authenticate to the verifier 221. In one 
embodiment the code output by the token 211 is the resutt of a mathematical operation, such as a cryptographic operation, 
performed on the verifier seed In another embodiment, in additional to the code associated with the verifier 221, the 

55 user 213 also enters a personal identification number (PIN) into the token 211. In this embodiment, the code output by the 
token 211 is the result of a mathematical operation, such as a cryptographic operation, performed on the verifier 
seed Sy,, and the personal identification number entered by the user. In another embodiment the code output by the token 

211 is a result of a mathematical operation, such as a cryptographic operation, performed on the verifier seed the 
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personal identification number entered by the user, and other information, for example a value derived from the current 
time. 

The user reads the code that is output on the token's 211 display, and transmits the code to the verifier. This 
transmission may be accomplished in various ways, including, but not Bmited to, typing the code into a keypad or computer 

5 keyboard, writing or speaking the code, otherwise transmitting over a computer or telephone network and so on. The verifier 
221 determines whether the code is appropriate, for example, whether it is. in the above embodiment, correctly derived from 

. . the. verifier seed, the useris PIN, and the current time. If it was .correctly derived, the user. is authenticated, and access 
is granted. If the code is incorrect, other action may be taken, including, but not limited to, transmitting an alert sighai, 
allowing the user to try again, etc. 

10 To authenticate to another one of the verifiers, for example verifier V 0 220, the user 213 enters the code associated with 
that verifier. The token 21 1 determines the verifier seed for that verifier V 0 220, and provides an authentication code 
appropriate for that verifier V 0 220. 

In another embodiment of the token 211, the token is capable of storing static passwords, as well as determining 
authentication codes based on a verifier seed. The user enters static passwords in the token, and associates the static 

f5 password with a service identifier. When the user enters the service identifier into the token 211. the token 211 determines 
whether the service identifier indicates a static password that is stored in the token, or whether the service identifier 
indicates a verifier identifier. As described above, for dynamic authentication codes, the service identifier may be the 
verifier identifier or a reference to the verifier identifier. In one embodiment, the token also requires the user to enter a 
PIN or other code in order to obtain a stored static password. This embodiment allows the token to function as a multi- 

2Q purpose password/authentication tool that stores a user's static passwords, and provides authentication codes based on 
various verifier seeds based on the user's master seed. 

Referring to FIG. 5, a method for authentication includes generating the master seed S m (STEP 240). In one 
embodiment, a seed generator 210 generates the master seed S M . In various embodiments, the seed generator 210 is 
incorporated into the server 212, the token. 211, or a separate device 210. The seed generator 210 outputs the master seed 
so that it can be stored in the token 211 and in the seed distribution server 212. thus sharing the master seed S H with the 

25 token 211 and the seed distribution server 212 (STEP 241, STEP 244). In one embodiment, the master seed S M is 
generated by the token 211, and displayed once on the LCD display to allow sharing with the seed distribution server 212. 
In yet another embodiment, the seed distribution server 212 generates the master seed S M , and the master seed S„ is 
programmed into the token 211. The seed distribution server 212 determines the verifier seeds S Vn for each of the 
verifiers, using the master seed S M , a verifier identifier, and possibly other information as inputs (STEP 242). The seed 

30 distribution server 212 transmits the verifier seeds S*. to the verifiers 220-222 (STEP 243). 

In one embodiment, once the master seed S M has been shared, the token 21 1 stores the master seed S M in its memory 
{STEP 244). To authenticate with a verifier, the token 211 derives the seed appropriate for that verifier (STEP 245) using 
the master seed S M , a verifier identifier, and possibly other Information as inputs. The token 211 generates an 
authentication code based on the verifier seed Sy and possibly other information (STEP 246). In one embodiment, the 

35 authentication code is based on additional information such as a PIN, the current time, and so on. In such an embodiment, 
the authentication code is only useful for a short time period. The authentication code is transmitted to the verifier (STEP 
247). In one embodiment, a user 213 reads the authentication code from the token 211 display, and transmits the 
authentication code to the verifier. 
The verifier 221 receives tie verifier seed Sy, from the server, and stores the verifier seed Sv When the token attempts to 

40 verify with the verifier, the verifier determines an authentication code (STEP 248) from the verifier seed Sy. The 
authentication code is also determined by the additional information such as a PIN, the current time, and so on if that 
information is used by the token 211 to determine the authentication code. The verifier receives the authentication code 
(STEP 249) and authenticates the entity (STEP 250) by comparing the transmitted authentication code with the 
authentication code determined in STEP 247. 

45 Variations, modifications, and other implementations of what is described herein will occur to those of ordinary skill in 
the art without departing from the spirit and the scope of the invention as claimed. 

For example, an implementation can break the seed derivation into two or more steps without departing from the scope 
of the invention. In one such embodiment a temporary intermediate seed is derived from the master seed by mathematically 
combining the master seed with a time identifier. Verifier seeds are generated from the temporary intermediate seed and 

50 distributed periodically to the verifiers. This approach further restricts the scope of a potential compromise of either the 
temporary intermediate seed or the verifier seeds, because all such verifier seeds are considered "expired" at the end of a 
preselected time duration. In one such embodiment the temporary intermediate seed is derived from the master seed using 
a date identifier. Verifier seeds are generated daily from the temporary intermediate seed using the appropriate verifier 
identifiers. A server distributes these verifier seeds to the verifiers. A user's device generates the temporary intermediate 

gg seed each day using the time identifier, and then uses the temporary intermediate seed to derive verifier seeds for each 
verifier, using verifier information. 

Also, the invention can be used to have a single secret (the master seed) provide authentication within and outside of an 
enterprise. Within an enterprise, the enterprise issues a token to each user containing the master seed, and distribute 
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verifier seeds to various services within an enterprise. These services can each authenticate users using the shared secret, 
and/or authentication codes derived from the shared secret This compartmentalizes any compromise to a particular 
service. Outside of a single enterprise, the invention also allows for use of a single secret to enable authentication with a 
variety of unrelated services. Each of the unrelated services receive a verifier seed from the server that has the master 

5 seed. A user can then authenticate with each of the unrelated services separately, without the need for any prior 
communication between the user and each of the services. The user need only know the appropriate verifier identifier for 
the service. ■ ........ ... • . . ... . ..... 

In addition, an authentication code based on a verifier seed, as described above, can be used as an encryption key for 
secure communications between a user and a server that has a verifier seed for that user, the secure channel can be used 

10 for continued communications, or to securely communicate another encryption key for secure communications. 

Accordingly, the invention is to be defined not by the preceding illustrative description but instead by the scope of the 
foDowing claims. 

Claims 

15 1. a method for distributing authentication information associated with a device, comprising the steps of: 
generating a master seed associated with the device; 

deriving a verifier seed using the master seed and information associated with a verifier; and 

20 

transmitting the verifier seed to the verifier. 

2. The method of claim 1, further comprising, after the generating step, the step of transmitting the master seed to the 
25 device. 

3. The method of claim 1, further comprising, after the generating step, the step of sharing the master seed with the 
device and a server. 

^ Ji. The method of claim 1, further comprising, after the transmitting step, the steps of: 

deriving a second verifier seed using the master seed and information associated with a second verifier; and 
transmitting the second verifier seed to the second verifier. 

35 

5. The method of claim 1 , further comprising, after the transmitting step, the step of generating an authentication code in 
response to the verifier seed. 

6. The method of claim 5, wherein the authentication code generating step further comprises generating an 
40 authentication code in response to the verifier seed and a time dependent value. 

7. The method of claim 5, further comprising the step of authenticating using the authentication code. 

8. The method of claim 7, wherein the authenticating step comprises authenticating a user or a device by verifying the 
45 authentication code. 

9. The method of claim 8 wherein the authenticating step comprises transmitting the authentication code to the verifier. 

10. The method of claim 1 wherein the master seed generating step comprises at least one of randomly generating and 
50 pseudorandomfy generating the master seed. 

1 1. The method of claim 1 wherein the deriving step further comprises deriving the verifier seed in response to a time 
identifier. 

12 The method of claim 1, wherein the deriving step comprises deriving a verifier seed by using the master seed and 
information associated with a verifier as inputs to a key derivation function. 

13. The method of claim 12 wherein the key derivation function comprises a hash function. 
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14. A system for distributing authentication information associated with a device, comprising: 
a seed generator for generating a master seed associated with a device; 

a server for deriving a verifier seed using the master seed and information associated with a verifier and 
a transmitter for transmitting the verifier seed to the verifier. 

15. The system of claim 14, further comprising a transmitter for transmitting the master seed to the device. 

16. The system of claim 14, further comprising a communication channel for sharing the master seed with the device and 
the server. 

17. The system of claim 14, wherein the server derives a second verifier seed using the master seed and information 
associated with a second verifier, and wherein the transmitter transmits the second verifier seed to the second verifier. 

1a The system of claim 14, further comprising an authentication code generator for generating an authentication code in 
response to the verifier seed. 

19. The system of claim 18, further comprising an authentication code generator for generating an authentication code In 
response to the verifier seed and a time dependent vaJue. 

2a The system of claim 14, wherein the seed generator comprises at least one of a random and pseudorandom 
25 generator. 

21. The system of claim 14, wherein the server comprises a key derivation function. 
22 A method for authentication, comprising: 

30 

storing a master seed associated with a device; 

deriving a verifier seed using the master seed and information associated with a verifier; and 
35 generating an authentication code in response to the verifier seed. 

23. The method of claim 22. further comprising the step of authenticating a user with the authentication code. 

^ 24, The method of claim 23, further comprising the step of transmitting the authentication code to a verifier. 

25. The method of daim 23, further comprising the step of receiving the authentication code by a verifier. 

26. A system for authentication, comprising: 

45 a memory for storing a master seed associated with a device; 

a server for deriving a verifier seed using the master seed and information associated with a verifier and 
an authentication code generator for generating an authentication code in response to the verifier seed. 



50 
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27. A verifier for authentication, comprising: 

a data store for storing a verifier seed associated with a device; 
an input for receiving an input authentication code; and 

an authenticator for determining whether the input authentication code was correctly generated in response to the 



verifier seed. 
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A token, comprising: 

a data store for storing a master seed; 

a key derivation function for deriving a verifier seed from a master seed in response to information associated with 
a verifier; 

an authentication code generator for generating an authentication code in response to a verifier seed; and 
an output for providing the authentication code to a verifier. 

A method for authentication, comprising: 
generating a master seed; 

sharing the master seed between a token and a server, 

deriving a verifier seed from the master seed using a key derivation function; and 

transmitting an authentication code responsive to the verifier seed. 
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